Magazine | October 19, 2015, Issue

Hopelessly Hackable Feds

What a data breach tells us about our government

‘I guess everybody is going to know what kind of porn I like.”

Not something one hears at a lot of business meetings, but the guy had a point: We were in the middle of DEF CON, the annual hackers’ convention in Las Vegas, and he had broken the cardinal rule: Never use the Wi-Fi. Nearby, the user names and passwords of the unwary were displayed for public amusement on the Wall of Sheep. The scene is High Hacker Camp, a carnival of nerdery overseen by a fellow who calls himself “Dark Tangent.”

The gray men from Washington want to be here — they need to, really — and they’re making nice after having been disinvited from the 2013 convention in protest of the prosecution of Edward Snowden. The Federal Trade Commission, which has become the de facto federal police department for consumer-privacy violations, underwrites DEF CON contests, and DARPA, the Pentagon’s mad-scientist venture-capital division, is a convention regular. Representative Will Hurd (R., Texas) is here, too, talking about the hijacking of vast quantities of personal data, ranging from background checks and financial information to fingerprints, from the poorly secured network operated by the federal Office of Personnel Management (OPM). Hurd, a former CIA agent and a partner in a cybersecurity firm, is here looking for help. The best way to defend against hackers, he tells a Motherboard reporter, is to have a hacker mentality.

Or to have the hackers. Dark Tangent? His real name is Jeff Moss, and he sits on the Department of Homeland Security’s advisory council.

Talk of the OPM hack has been twittering through official Washington for months as federal employees, contractors, and people who simply applied for a government job once upon a time share news of getting “the letter,” a note from Uncle Stupid informing them that their files are among those compromised by the hack. There’s something kind of beautiful in the government’s using 18th-century technology — the U.S. Postal Service — to inform its employees and would-have-been employees that it cannot handle anything more advanced.

Hack victims are being offered a year’s worth of free identity protection and credit-monitoring services, which many have characterized as inadequate. There have been episodes of identity theft, credit-card fraud, and the like — the letter specifically disclaims government liability for any of that, of course — but for the vast majority of federal workers it will be impossible to know whether such misfortunes are related to those OPM files. “The ineptitude and lack of accountability rankles,” says one federal worker, who adds that he mostly worries about possible criminal use of his information — he doubts that he and his wife are big enough fish to be targeted by foreign intelligence services. “Since we’re nobodies, any consequences for us will be remote enough that we won’t be able to definitively trace them back to OPM — that lack of accountability, again.”

Christopher Minakowski got his letter, too, but he is taking things in stride. “I know I should be more concerned than I am,” he says. One of the reasons for the former Hill staffer’s relative nonchalance is that before the OPM news came he already had been involved in a series of security failures in the private sector — Home Depot, Target, and a health-care provider — without much consequence. But he had a federal security clearance, which means that there’s a lot more sensitive information in his OPM file than on his Home Depot account. “I’m sure tomorrow my Social Security number, my American Express number, and a forgotten video of me insulting disabled kids will show up on the screen in Times Square.”

But of course the ChiComs — and everybody knows it was the ChiComs, and everybody knows that everybody knows it was the ChiComs, which made Xi Jinping’s cretinous wan little grin as he shook hands with Barack Obama and announced a new cybersecurity agreement in September all the more unbearable — didn’t hack the OPM because they wanted to run up bills at Armani Exchange on some unsuspecting bureaucrat’s gold card. Their agenda is espionage, blackmail, extortion, and murder. They were looking for, among other things, Standard Form 86, “Questionnaire for National Security Positions.” OPM bosses dissembled to the public, to Congress, and to journalists about whether that information had been accessed, but almost certainly it was. SF86 provides those hackers with what one security expert describes as a “phone book” of federal employees with access to sensitive information. The phone numbers are indeed there, but a lot more is, too: who your neighbors are, where you went to high school, whom you roomed with in college, foreign countries you’ve visited, connections you or your family may have abroad, etc. If you’ve got a mother-in-law in Shanghai, Beijing knows, which might be of some concern to you if you are engaged in diplomacy or trade negotiations — or espionage.

It’s the world’s greatest blackmail file.

If you think you’ve seen this movie before, you have: It was the plot of Brian de Palma’s Mission: Impossible. You might remember that terrific set piece where Tom Cruise dangles from the ceiling in a harness when he has to break into CIA headquarters to retrieve a top-secret list of intelligence operators. Remember why he had to do that? Because the imaginary federal government wanted to keep its employee data secure, and for that reason the computer holding the data was physically isolated from any network — if you’re not on a network, you can’t be hacked remotely. But the real-life federal government isn’t as good as the cinematic one — in real life, this stuff is connected to the Internet. If you should read the Pentagon’s support literature on Scattered Castles, the intelligence community’s in-house database of security clearances (which may itself have been compromised in the OPM hack), you might be amused to learn that “the Scattered Castles web application will only support the following internet browsers: Netscape 7.0 or higher.” Netscape.

“This info should have been sequestered from any open network, much more the public Internet,” Minakowski says. “Also, the fact that the Chinese seem to have had access to the database for a year is insane — I’m sure at some point they thought it must have been a honeypot, because the level of malpractice was so staggering they couldn’t have believed it was real.”

The Obama administration is sticking to its line that this was a criminal endeavor rather than an act of war — that Beijing wouldn’t “deploy resources to get the Social Security number of clerks at the Commerce Department,” as Rob Knake, formerly of the National Security Council, put it. Once again, though, real life isn’t like the movies. Intelligence agencies spy on one another all the time, but that’s a relatively high-cost/low-return exercise: It is in reality difficult to blackmail or extort intelligence operatives, because they are trained to deal with that sort of thing and because their agencies constantly are on the lookout for it. The day-to-day stuff is more along the lines of tricking a manager at the Treasury Department out of his systems-administrator password with a phishing scheme, or, as our own CIA has been known to do, collaborating with friendly local police to blackmail corrupt officials who do not know that their crimes already are known to the authorities (see Joseph Burkholder Smith, Portrait of a Cold Warrior). And for that, the sort of information compromised in the OPM hack is very valuable.

Worse yet, the hack also compromised fingerprint files, which could be used to defeat biometric security devices.

Representative Hurd argues that identity-theft hacking is “bad enough,” but worries more about “the grave impact of the theft of information belonging to those who are tasked with protecting America’s most sensitive information.” Accordingly, he has introduced the Einstein Act of 2015, currently marinating in committee.

The Einstein Act would allow for the broader use of something called the Einstein 3 Accelerated program — E3A, as it is known — an interesting tool for detecting and combating hacker attacks. E3A examines Internet traffic to and from the vast and varied world of .gov and looks for patterns and anomalies, flagging and blocking traffic thought to be hostile. But it is a tricky business, because it involves the use of information that is classified or else “could be considered PII” — that’s “personally identifiable information,” and it’s an automatic red flag for privacy concerns. The DHS report on the related privacy concerns predictably argues that, while your personally identifiable information (say, an e-mail address or a telephone number) could make its way into a spook database, it isn’t really personally identifiable information if the spooks aren’t spying on you per se: “DHS uses the phrase ‘information that could be considered PII’ because . . . in the context of E3A, these types of information are not used to identify an individual; instead, they are used as a reference point for particular known or suspected cyber threats.”

Okey-dokey.

E3A probably will help, but it isn’t going to be enough, and Hurd himself is quick to dismiss the notion that there exists a “silver bullet” for data security. The fundamental problem with data security is the fundamental problem with practically everything else in Washington: bureaucratic inertia combined with deficient institutions and insufficient oversight. Hurd complains that federal agencies year after year get reports from their inspectors general informing them that their computer networks are not secure, and year after year do approximately nothing about it — something the FTC would hand down multimillion-dollar fines over if these were private enterprises rather than government agencies. It isn’t the technology, it’s the people. When Senator Ron Wyden (D., Ore.) sent National Counterintelligence Executive William Evanina a letter demanding to know what our counterintelligence guys were up to as regards the pressing counterintelligence matter at OPM, he got back a short reply reading, in essence, “Not our job.” In the original bureaucratese: “The statutory authorities of the National Counterintelligence Executive . . . do not include identifying information technology (IT) vulnerabilities to agencies.”

The smart money’s on the Chinese hackers.

In This Issue

Articles

Politics & Policy

Hung Up on Israel

At the recent Republican presidential debate, many of the candidates mentioned Israel. Jeb Bush, for example, said that we need to reestablish “our commitment to Israel, which has been altered ...

Features

Books, Arts & Manners

Politics & Policy

Super K, Revisited

‘Surely no statesman in modern times, and certainly no American secretary of state, has been as revered and then as reviled as Henry Kissinger.” So begins Niall Ferguson’s monumental biography, ...
Politics & Policy

Bedeviled

Black Mass, in which a cadaverous Johnny Depp portrays James “Whitey” Bulger, the famous Boston gangster and FBI informant, is the kind of movie that gives competence a bad name. ...
Country Life

Duskfall

Kids come back to college at the end of August, but night comes back into its own at the end of September, so between freshman orientation and the equinox is ...

Sections

Politics & Policy

Letters

Crime and Over-punishment It is surprising that the editors of National Review would publish Stephanos Bibas’s article, which describes at length the harmful social effects of keeping convicted criminals behind bars ...
Politics & Policy

The Week

‐ The New York City Council honored Ethel Rosenberg. One hundred million people were unavailable for comment. ‐ If Donald Trump stopped insulting people, he would practically be rendered mute, but ...
Athwart

Gruel, Britannia

Story from the Telegraph: “Meat should be treated like tobacco with a public campaign to stop people eating it, Jeremy Corbyn’s new vegan shadow farming minister Kerry McCarthy has suggested.” “Shadow” ...
Politics & Policy

Poetry

THE GARDEN Nothing to do with me, All that it grows: Whatever I might see – A vole, a rose. Who gives, who takes away? Look how it grieves, How what shoots up today Falls among thieves, While in ...
Happy Warrior

Happier Warrior

For most of human existence, the average man could look forward to a relatively short life of chasing game or extracting enough sustenance from the ground that his family could ...

Most Popular

U.S.

Americans Are Royally Confused about Monarchy

Conventional wisdom regarding America’s relationship with royalty goes something like this: Americans have no time for monarchy as a political concept but can’t get enough of the British royal family. The American media’s round-the-clock coverage of the recent royal wedding certainly seems ample evidence of ... Read More
Elections

The Trump Rationale

Why exactly did nearly half the country vote for Donald Trump? Why also did the arguments of Never Trump Republicans and conservatives have marginal effect on voters? Despite vehement denunciations of the Trump candidacy from many pundits on the right and in the media, Trump nonetheless got about the same ... Read More
Politics & Policy

The Collapse of the Collusion Narrative

It is now clear that Russian attempts at interference in the 2016 election, though somewhat outrageous, were ineffectual, unconnected with any particular party, a small effort given what a country of Russia’s resources and taste for political skullduggery and chicanery is capable of, and minor compared with the ... Read More
Politics & Policy

Trump’s Superpower

President Trump has a magic power. No, it isn’t the ability to engage in four-dimensional chess, or even to mystically connect with the “common man.” It’s simply this: He can make Democrats defend anything. Democrats have increasingly defined themselves by opposing anything Trump does. Trump, unlike ... Read More